FUNCTIONAL SAFETY ENGINEER
CERTIFICATION COURSE 


Exercise Solutions 


The following slides are arranged by practical number 
and consist of question items followed by answer items. 
Practical exercise no: 1


Fault trees 

This practical exercise requires attendees to construct a 
fault tree diagram using the basic principles introduced in 
module 3. 


It uses an example of a simple reactor with automatically 
controlled feeds that has the potential to cause a serious 
risk to plant personnel. Once the basic fault tree has 
been drawn, the model is to be adjusted to incorporate a 
safety-instrumented system and to demonstrate the 
resulting risk reduction. 


The process is a reactor with a continuous feed of fuel and 
oxidant. Two flow control loops are operated under a ratio 
controller set by the operator to provide matching flows of fuel 
and oxidant to the reactor. 


An explosive mixture can occur within the reactor if the fuel 
flow becomes too high relative to the oxidant flow. 


Possible causes are: Failures of the BPCS or an Operator 
error in manipulating the controls leading to sudden loss of 
oxidant feed. 

A SIS is proposed with a separate set of flow meters
connected to a flow ratio measuring function that is designed
to trip the process to a safe condition if the fuel flow exceeds
the oxidant flow by a significant amount.


The tag number for this SIF is FFSH-03.
Fault tree for risk reduction using SIS (figure)
Exercise No: 2 — SIL Verification


Task 1: Calculate the single-channel PFDavg and spurious trip rate for the
high-temperature trip example. Draw a single-channel reliability block diagram and,
using the failure rates in the table, calculate the PFDavg and the spurious trip
rate for each subsystem and for the overall system, using a proof-test interval of
6 months.


Assume the system uses 2 relays: 1 relay in the sensor subsystem and 1 relay in
the logic solver subsystem. The trip actuation uses a solenoid valve to vent the
air cylinder on a valve that will drive open and release quench water into the
reactor.


Task 2: Recalculate the PFDavg and spurious trip rate for the SIF using the
second diagram, which shows 3 high-temperature transmitters on the reactor
configured 2oo3, on the basis of proof testing every 6 months, a beta factor of
10% and an MTTR of 24 hours.


The 3 temperature transmitters each transmit to a trip amplifier device that acts as
a high-temperature trip device, leading to a single-channel actuation as in Task 1.


Table of failure rates for the devices


Channel device                 Fail-safe rate (per year)   Fail-danger rate (per year)
TE    element                  1.5                         0.20
TT    transmitter              0.5                         0.05
      cable/terminals          0.01                        0.00
TSH   trip amplifier/switch    0.5                         0.1
      relay (each)             0.05                        0.002
      solenoid valve           0.04                        0.02
      trip valve               0.4                         0.1


3/4/11 
Practical 2: Step 1. Single-channel high-temperature trip

(Diagram: reactor with a single temperature element and transmitter feeding a
trip amplifier, a 1oo1 relay trip, and a solenoid and trip valve that release
quench water from the drench tank. Proof test interval Ti = 6 months = 0.5 yr.)


Safe (spurious) failure rate λs per subsystem, summing the devices in series:

  Sensor:   λs = 1.5 + 0.5 + 0.01 + 0.5 + 0.05 = 2.56 /yr
  Logic:    λs = 0.05 /yr
  Actuator: λs = 0.01 + 0.04 + 0.4 = 0.45 /yr
  Loop:     λs = 2.56 + 0.05 + 0.45 = 3.06 /yr


Dangerous failure rate λd per subsystem:

  Sensor:   λd = 0.2 + 0.05 + 0.00 + 0.1 + 0.002 = 0.352 /yr
  Logic:    λd = 0.002 /yr
  Actuator: λd = 0.00 + 0.02 + 0.1 = 0.12 /yr


PFDavg for a 1oo1 channel = λd × Ti / 2, with Ti = 0.5 yr:

  Sensor:   PFDavg = 0.352 × 0.5 / 2 = 0.088
  Logic:    PFDavg = 0.002 × 0.5 / 2 = 0.0005
  Actuator: PFDavg = 0.12 × 0.5 / 2 = 0.03


Single channel: PFDavg = 0.088 + 0.0005 + 0.03 = 0.118
Practical 2: Step 2. Calculate new values for λs and λd when the sensors
are changed to 2oo3


Sensor subsystem (each channel as in Step 1), common cause factor β = 10%:

  λs per channel = 2.56 /yr;   common cause λs = 10% × 2.56 = 0.256 /yr
  λd1 per channel = 0.352 /yr; common cause λd2 = 10% × 0.352 = 0.0352 /yr

Logic:    λs = 0.05 /yr, λd3 = 0.002 /yr
Actuator: λs = 0.45 /yr, λd4 = 0.12 /yr
Practical 2: Step 3. Calculate new PFD values


2oo3 PFDavg = (λd × Ti)², with λd1 = 0.352 /yr and Ti = 0.5 yr
Common cause and 1oo1 subsystems: PFDavg = λd × Ti / 2

  2oo3 sensors:         PFD = (0.352 × 0.5)² = 0.031
  Sensor common cause:  PFD = 0.0352 × 0.5 / 2 = 0.0088
  Logic:                PFD = 0.002 × 0.5 / 2 = 0.0005
  Actuator:             PFD = 0.12 × 0.5 / 2 = 0.03

Practical 2: Step 3. New spurious trip rate for the 2oo3 section


Per-channel λs = 2.56 /yr

2oo3 λs = 6 × (λs)² × MTTR

Let MTTR = 24 hrs = 24/8760 yr = 0.0027 yr

2oo3 λs = 6 × (2.56)² × 0.0027 = 0.106 /yr
Practical 2: Step 4. New spurious trip rate for the overall loop


  Sensor subsystem: λs = 2oo3 rate + common cause = 0.106 + 0.256 = 0.362 /yr
  Logic:            λs = 0.05 /yr
  Actuator:         λs = 0.45 /yr
  Loop:             λs = 0.362 + 0.05 + 0.45 = 0.862 /yr

Practical 2: Step 5. Compare results


                          Single channel (1oo1)   2oo3 sensors
  Sensor PFDavg           0.088                   0.031 + 0.0088 = 0.040
  Logic PFDavg            0.0005                  0.0005
  Actuator PFDavg         0.03                    0.03
  SIF PFDavg              0.118                   0.070
  Loop spurious trip rate 3.06 /yr                0.862 /yr

The 2oo3 sensor arrangement reduces the SIF PFDavg from 0.118 (outside the
SIL 1 band of 0.01 to 0.1) to 0.070 (SIL 1), and cuts the spurious trip rate
by a factor of about 3.5. The actuator now contributes the largest share of the
remaining PFDavg.
Exercise No: 3 - Determination of SIL by Risk Graph


This practical exercise requires participants to determine the required SIL of a
proposed safety-instrumented system using the basic principles, risk graphs and
calibration parameters for safety, environment and asset loss described in this
module.


The process is a reactor with a continuous feed of fuel and oxidant. Two flow 
control loops are operated under a ratio controller set by the operator to provide 
matching flows of fuel and oxidant to the reactor. An explosive mixture can occur 
within the reactor if the fuel flow becomes too high relative to the oxidant flow. 


Possible causes are: failures of the BPCS or an operator error in manipulating
the controls leading to sudden loss of oxidant feed.

A SIS is proposed with a separate set of flow meters connected to a flow ratio
measuring function that is designed to trip the process to a safe condition if the
fuel flow exceeds the oxidant flow by a significant amount.


The tag number for this function is FFSH-03.


Assume that the following information has been decided for the reactor. 


The total frequency of the events leading to an explosive mixture is 
approximately once every ten years. 


The consequence of the explosion has been determined to be a vessel
rupture causing death or serious injury to 1 person.


The occupancy in the exposed area is less than 10% of the time and is not 
related to the condition of the process. 


The onset of the event is likely to be fast, with a worst-case time of
10 minutes between loss of oxidant and the possible explosion.


The material released from an explosion is not harmful to the 
environment. 


The reactor will cost in excess of £250,000 to replace.
Determine the target SIL, EIL and AIL.
Determine the overall target integrity for the SIF.
(Risk graph figure; axes: consequence, occupancy, probability of avoidance, demand rate)

Legend:
  -  = No safety requirements
  a  = No special safety requirements
  b  = A single E/E/PES is not sufficient
  1, 2, 3, 4 = Safety integrity level
IEC 61511 risk parameters chart (part 3 Annex D)


Risk parameters for FFSH-03:

C — Consequence: the chance of death is 1 per event (range > 0.1 to < 1.0) → C_C

F — Occupancy: occupancy is less than 0.1 → F_A

P — Hazard avoidance probability: the explosion has a rapid onset (< 10 minutes)
    (range > 0.1 to < 1.0) → P_B

W — Demand rate in the absence of the SIF under consideration: demand rate is
    estimated at 0.1/yr → W_2

Enter the chart at the starting point, follow the C_C, F_A and P_B branches and
read the target safety SIL from the W_2 column.


Environment and asset loss: EIL = a / AIL = a


Legend:
  -  = No safety requirements
  a  = No special safety requirements
  b  = A single E/E/PES is not sufficient
  1, 2, 3, 4 = Safety integrity level
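An added example, not the course's chart: the general-form risk graph of IEC 61508-5 Annex E encoded as a lookup, with the parameters the solution assigns to FFSH-03 (C_C, F_A, P_B, W_2) fed through it. That graph has the same row/column layout as the IEC 61511-3 Annex D chart the slide refers to, but the module's calibration of the W columns is the one that governs; treat the code's output as a check on the chart reading, not a replacement for it.

```python
"""Risk-graph SIL determination for FFSH-03 (Exercise 3). Added example, not
the course's chart: encodes the general-form risk graph of IEC 61508-5 Annex E,
which has the same rows (X1..X6) and columns (W3, W2, W1) as the IEC 61511-3
Annex D chart the solution refers to. Confirm against the module's calibrated chart."""

# Row reached after C (consequence) and F (occupancy). C_A goes straight to X1
# with no F or P branch, so it is handled separately in risk_graph().
CF_ROW = {
    ("CB", "FA"): 2, ("CB", "FB"): 3,
    ("CC", "FA"): 3, ("CC", "FB"): 4,
    ("CD", "FA"): 4, ("CD", "FB"): 5,
}

# Outcome per row for demand-rate columns W3 (highest), W2, W1 (lowest):
# "-" no safety requirements, "a" no special safety requirements,
# "b" a single E/E/PES is not sufficient, "1".."4" = SIL
OUTCOME = {
    1: {"W3": "a", "W2": "-", "W1": "-"},
    2: {"W3": "1", "W2": "a", "W1": "-"},
    3: {"W3": "2", "W2": "1", "W1": "a"},
    4: {"W3": "3", "W2": "2", "W1": "1"},
    5: {"W3": "4", "W2": "3", "W1": "2"},
    6: {"W3": "b", "W2": "4", "W1": "3"},
}


def risk_graph(c, f=None, p=None, w="W2"):
    """C and F select a row, P_B shifts one row further down, W selects the column."""
    if c == "CA":
        row = 1
    else:
        row = CF_ROW[(c, f)]
        if p == "PB":
            row += 1
        elif p != "PA":
            raise ValueError("P must be 'PA' or 'PB'")
    if w not in ("W1", "W2", "W3"):
        raise ValueError("W must be 'W1', 'W2' or 'W3'")
    return OUTCOME[row][w]


def ffsh03_parameters():
    """Parameters the solution slide assigns: one death per event -> C_C,
    occupancy < 0.1 -> F_A, rapid onset (< 10 min) -> P_B, 0.1 demands/yr -> W_2."""
    return {"c": "CC", "f": "FA", "p": "PB", "w": "W2"}


if __name__ == "__main__":
    print("FFSH-03 safety SIL from the general risk graph:", risk_graph(**ffsh03_parameters()))
```

On the general graph C_C and F_A reach X3, P_B moves the path to X4, and the W_2 column of X4 reads "2", so the code returns SIL 2 for the safety target; the environment and asset targets stay at "a" as the solution slide states. Reading the avoidance parameter as P_A instead (had the onset been slow enough for the operator to intervene) would drop the same path to SIL 1, which is why the 10-minute worst-case onset matters to the answer.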
Exercise No: 4 - Determination of SIL by LOPA


This practical exercise requires participants to determine the
required SIL of a proposed SIS using the basic principles and
LOPA parameters described in this module.


Liquid is transferred manually to a holding tank before delivery to
the plant; the operator must stop the pump at 75% tank level.


A tank over-pressurisation hazard has been identified by the
HAZOP team, and two causes have been identified:


* Operator fails to stop pump: 0.1 per year
* Level control failure: 0.1 per year


Determine the required target SIL for personnel safety of the high
pressure vent SIF to flare.


ProSalus Limited 


The tolerable risk for the hazard is 1.0E-05 per year.


The holding tank has a relief valve installed which is sized for full
flow and vented to flare.


The process design is not considered to be fit for purpose.
LOPA Worksheet: Overpressure of Tank

Likelihoods are in events/year; protection layers are PFDavg.


Initiating events:
  Operator fails to stop pump   0.1 /yr
  Level control failure         0.1 /yr


Protection and mitigation credited on the worksheet:
  Additional mitigation: relief valve (full flow, vented to flare)
  Additional mitigation: closed drain


Intermediate event likelihood                 1.0E-04
Total mitigated event frequency               1.1E-03
Tolerable mitigated event likelihood          1.0E-05
PFDavg required = 1.0E-05 / 1.1E-03 = 9.1E-03 → SIL 2
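An added example, not the course's worksheet: the LOPA arithmetic coded as one scenario per initiating cause, each multiplied through its independent protection layers, summed, and divided into the tolerable frequency to give the SIF's required PFDavg and SIL band. The IPL credits are assumptions chosen for illustration (the exercise states only that a full-flow relief valve to flare exists; 0.01 is a common LOPA credit for it, and a high-level alarm with operator response at 0.1 is credited only against the level-control cause). With those assumptions the two causes give 1.0E-03 and 1.0E-04, reproducing the worksheet's 1.1E-03 total and 9.1E-03 required PFDavg.

```python
"""LOPA calculation for the holding-tank overpressure hazard of Exercise 4
(added example; not the course's worksheet). Initiating-event frequencies are
events/year; each independent protection layer (IPL) is a PFDavg."""

TOLERABLE_FREQUENCY = 1.0e-5   # tolerable mitigated event likelihood from the exercise

# IPL credits are ASSUMED for illustration. The exercise only states that a
# full-flow relief valve to flare exists; 0.01 is a common LOPA credit for it.
# A high-level alarm with operator response (0.1) is credited only against the
# level-control cause: the operator whose error initiates the first cause
# cannot also be the protection layer against it.
SCENARIOS = [
    {"cause": "Operator fails to stop pump", "frequency": 0.1,
     "ipls": {"relief valve to flare": 0.01}},
    {"cause": "Level control failure", "frequency": 0.1,
     "ipls": {"high-level alarm with operator response": 0.1,
              "relief valve to flare": 0.01}},
]


def is_independent(scenario):
    """Assumed independence rule: no operator-response IPL on an operator-initiated cause."""
    if "operator" not in scenario["cause"].lower():
        return True
    return not any("operator" in name.lower() for name in scenario["ipls"])


def mitigated_frequency(scenario):
    """Initiating frequency multiplied by the PFDavg of every credited IPL."""
    if not is_independent(scenario):
        raise ValueError(f"non-independent IPL credited against {scenario['cause']!r}")
    freq = scenario["frequency"]
    for pfd in scenario["ipls"].values():
        freq *= pfd
    return freq


def sil_for_pfd(pfd):
    """Low-demand SIL band of IEC 61508/61511 for a required PFDavg."""
    if pfd >= 0.1:
        return 0                       # risk reduction < 10: not a SIL-rated function
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    raise ValueError("required PFDavg is below the SIL 4 band; change the design instead")


def required_sif(scenarios=SCENARIOS, tolerable=TOLERABLE_FREQUENCY):
    """Per-cause mitigated frequencies, their total, and the new SIF's required PFDavg and SIL."""
    rows = {s["cause"]: mitigated_frequency(s) for s in scenarios}
    total = sum(rows.values())
    required_pfd = tolerable / total
    return {"rows": rows, "total": total,
            "required_pfd": required_pfd, "sil": sil_for_pfd(required_pfd)}


if __name__ == "__main__":
    r = required_sif()
    for cause, f in r["rows"].items():
        print(f"{cause}: {f:.1E} /yr")
    print(f"total {r['total']:.1E} /yr, required PFDavg {r['required_pfd']:.1E} -> SIL {r['sil']}")
```

The independence check is the part of LOPA that is easiest to get wrong on paper: crediting the operator's alarm response against the "operator fails to stop pump" cause would halve that row and pull the required PFDavg towards SIL 1, which is why the worksheet has to document not just the PFD of each layer but which causes it is independent of.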